What will get you in the end is sloppy opsec. Short for operations security, it encompasses a sprawling list of disciplines, including keeping PCs free of malware, encrypting e-mail and other communications, and placing an impenetrable firewall between public and personal identities.

The latest high-profile criminal defendant to get a first-hand lesson in the perils of poor opsec is Ross William Ulbricht. The 29-year-old Texan was arrested on Tuesday on allegations he was the kingpin behind Silk Road, an online drug bazaar prosecutors said arranged more than $1 billion in sales of heroin and other illicit substances to hundreds of thousands of buyers. A 39-page complaint alleges that he was known as "Dread Pirate Roberts" in Silk Road forums. An FBI agent went on to say Ulbricht controlled every aspect of the site, including crucial server infrastructure and programming code that used the Tor anonymity service and Bitcoin digital currency to conceal the identities of operators, sellers, and buyers.

Despite the elaborate technical underpinnings, however, the complaint portrays Ulbricht as a drug lord who made rookie mistakes. In an October 11, 2011 posting to a Bitcoin Talk forum, for instance, a user called "altoid" advertised he was looking for an "IT pro in the Bitcoin community" to work in a venture-backed startup. The post directed applicants to send responses to "rossulbricht at gmail dot com." It came about nine months after two previous posts—also made by a user, "altoid," to shroomery.org and Bitcoin Talk—were among the first to advertise a hidden Tor service that operated as a kind of "anonymous amazon.com." Both of the earlier posts referenced silkroad420.wordpress.com.

If altoid's solicitation for a Bitcoin-conversant IT Pro wasn't enough to make Ulbricht a person of interest in the FBI's ongoing probe, other digital bread crumbs were sure to arouse agents' suspicions. The Google+ profile tied to the rossulbricht@gmail.com address included a list of favorite videos originating from mises.org, a website of the "Mises Institute." The site billed itself as the "world center of the Austrian School of economics" and contained a user profile for one Ross Ulbricht. Several Dread Pirate Roberts postings on Silk Road cited the "Austrian Economic theory" and the works of Mises Institute economists Ludwig von Mises and Murray Rothbard in providing the guiding principles for the illicit drug market.

The clues didn't stop there. In early March 2012 someone created an account on Stack Overflow with the username Ross Ulbricht and the rossulbricht@gmail.com address, the criminal complaint alleged. On March 16 at 8:39 in the morning, the account was used to post a message titled "How can I connect to a Tor hidden service using curl in php?" Less than one minute later, the account was updated to change the username from Ross Ulbricht to "frosty." Several weeks later, the account was again updated, this time to replace the Ulbricht gmail address with frosty@frosty.com. In July 2013, a forensic analysis of the hard drives used to run one of the Silk Road servers revealed a PHP script based on curl that contained code identical to that included in the Stack Overflow discussion, the complaint alleged.

A cautionary tale

The sloppiness portrayed in the court documents is by no means unique to the Silk Road case. Indeed, Hector "Sabu" Monsegur, one of the leaders behind a spree of crimes carried out by Anonymous offshoot LulzSec, reportedly accidentally joined an Anonymous IRC server from his own IP address rather than connecting through Tor. If that single error wasn't enough for authorities to identify him, Monsegur's fate was sealed when the prvt.org Internet domain frequently referenced by Sabu was briefly tied to Monsegur's real-world persona.

Wednesday's complaint comes two months after FBI agents exploited a vulnerability in the Firefox browser to unmask Tor users suspected of participating in a child pornography site. There's no evidence Silk Road was brought down through similar tactics, although at this early stage they can't be ruled out conclusively. What is more in evidence is that, like Monsegur and countless other criminal defendants before him, Ulbricht's lack of opsec was key in drawing the attention of investigators.

The complaint reads as a cautionary tale about the asymmetrical challenge in staying truly anonymous on the Internet, even when government agents or other snoops don't exploit obscure vulnerabilities or wield the massive surveillance apparatus of the National Security Agency. End users have to get it right every single time they go online without slipping up, even once. The FBI, and even grassroots investigators with the time to look, need only stay vigilant and wait to get lucky.

Promoted Comments

I don't know about you guys, but if I was a criminal mastermind operating an illegal multimillion dollar business, I don't think I would make myself EVER trackable. I'm thinking buying a laptop with cash from an untrackable source, only use public wifi hotspots at random locations with no discernible pattern, only use throw away pre-paid cell phones IF ever communicating by phone, etc., etc., etc.

I'm sure proper OPSEC is MUCH harder than one would think, but still, you'd think that an online kingpin like this guy would always have his bases covered. No slip-ups...EVER.

That is the point, however. It is impossible to be perfect, and that is what is required of you to be criminally active on the internet.

This level of sloppiness is just inexcusable, though. I can't fathom using your real name to ask stuff like this in a public forum when so much rides on you being anonymous.

The moron should've used a completely sanitised laptop just for illicit use - bought in cash, only running a libre Linux distro that was configured to *only* connect through Tor, completely disappearing his real-life persona, using a different username on every forum he accessed etc. Residing in the USA and ordering fake IDs that crossed a border (where they were found by customs agents) was moronic too.

Then again, the people smart enough to practice good opsec are the ones we don't know about - because they've hidden themselves well.

The thing is, not everyone starts out intending to be a criminal mastermind. That's the problem. Most of these things he was nailed by, they were things he did before he actually started Silk Road. It's obvious he very quickly realized that he was going to turn into a criminal mastermind, and started to take precautions, but this guy did (if his LinkedIn profile is at all genuine) have a pretty legitimate life going before this.

Perfect Opsec is impossible if you ever want to actually enjoy the fruits of your labor as a criminal. You will always, always slip up. The people that never get caught, they're the people that do one thing, once, and never ever do it again. Crime (legitimate, heavy crime like this) is like gambling: the house always wins if you keep playing.

So he used his real name and email in October 2011, but it still took them two years to arrest the guy, even with senators calling for his head as early as June 2011? Something isn't adding up. Mindful of the recent revelations about the DEA's "reconstruction of evidence trails", I would be extremely surprised if we're getting the full story here.

It takes a very, very long time to build a case against someone like this. There are criminals that the feds have known, dead to rights, that they are criminals, for DECADES, and can't take the risk of arresting them because they know their case won't hold up in court. Thanks to the way the US legal system works, you can't prosecute the same person twice for the same crime. If they moved too soon and slipped up, and he was acquitted, that's it, he's gone, even if they found irrefutable evidence the next day that he did it.

Maybe the same mindset that would urge you towards ruthless caution also informs you against those sorts of ventures in the first place.

Years of surveillance over many sites; you vs. a small army of people hell bent on proving something through someone. He hadn't a chance and not that he deserved one if he is guilty. Selling smack and guns is just bad for folks in general. But about all of that surveillance...wow. Seems they - the real spies - have their media distraction....or 'victory', as they will surely trumpet this.

Tor is dead....busted....broken wide open...there is simply no anonymity on the net. It's a ruse behind which people act.....like people will.

One has to wonder if the ends justify the means with law enforcement. The cost of the chase just doesn't seem to measure up to the kill sometimes. Were there no meth labs nearby in Texas to bust? No oxy stashes to raid? It seems like they do things just to do it; to prove it can be done, that nobody is beyond them. There is certainly something to that - to keep people scared - but why should we have to foot the bill for these boots on our necks? I suspect that his neighbors saw him selling guns to a guy in Europe and smack to a Canadian far less problematic than the crack house 2 doors down.

You miss the point. A month or two ago lots of articles came out about the Silk Road. It entered public consciousness and so was snuffed out.

And what about the hits he was putting out on people? That wasn't dangerous?

Ok, to be fair, seemingly only one definite case, but he referenced a previous hit he had put out as well. Maybe he was just blowing smoke though. Does it really matter how many anyway?

That doesn't show me missing the point...you just made mine stronger. If they want you, you can't hide. Thanks.

Are you under the impression that all criminals are necessarily intelligent?

OOPS! Totally clicked reply on the wrong post.

EDIT: I'm a mess. Actually I didn't reply to the wrong post. You said wasn't there some meth labs in texas to bust. That misses the point. The point is to take out a high profile target.

Trying to put an objective eye on 'levels of danger' is not useful and not what I said.

NSA / Feds need a win right now and it needs to be a big one and one that involves all of their spy stuff in order to justify the expense - the man hours, etc - and to show the public that the leaks and revelations that came with them, are a bad thing. "The leaks are bad because look at all the good we do" -type of thing.

Sure the silk road guy was 'dangerous'. I never said he wasn't, but like I said, measuring threat is tough unless it is immediate, which I maintain that in Texas one could throw a stone and uncover a more immediate and local threat to Texans.

I call bullshit on their claims. I bet some NSA algorithms figured everything out, fed it through the SOD, and then afterwards they combed through everything for every bit of evidence they could find ('building the false chain of evidence').

They will also, as we have seen over the last months, do anything they want....limited anarchy if you will, and time and again put the law below them. Thus, I too would be surprised if not only did we have the full story, but that they had this guy "dead to rights", as it were. They needed a win, one with the right spin on it, and damned if they weren't going to get it. This guy - as bad as he was - was perhaps lingering too near the cross hairs.... a convenience.

If they did have his head well and truly on a spike, then like I said, anonymity is simply nonexistent.

Thank you, Sarielite. I was going to say the same thing myself. I doubt the information they feed the press is the whole story on it.

You are correct - I've seen them blow cases by acting prematurely against some of my... people I've been in contact with. Usually there's an informant, and usually that informant is not as accurate/credible as the DEA or [insert 3 letter acronym here] initially believed.

Somehow, the way Ross was caught seems completely plausible and completely implausible at the same time.

I can see someone slipping up online here and there. But using their real name gmail address?? That seems TOO easy for a slip up. Almost like someone was framing someone else this whole time...

You don't think about super paranoid security precautions when it's just a small-time side project that you're doing to help pay the bills, but Google remembers everything and you only have to slip up once to get busted if they mount a full-scale investigation.